Vulnerability (Schwachstelle)
A flaw, design defect, or misconfiguration in software, hardware, or an IT system that attackers can exploit to gain unauthorized access or cause damage.
A vulnerability is a flaw, design defect, configuration error, or weakness in an IT system, application, or process that allows an attacker to gain unauthorized access, steal data, damage systems, or perform other undesirable actions.
The Vulnerability Triangle
A vulnerability alone does not pose an immediate threat. A risk only arises when three factors converge:
Vulnerability (a flaw is present)
+ Threat Actor (an attacker with motive and capabilities)
+ Exploit (a method of exploiting the flaw)
= Security risk
Types of Vulnerabilities
Software Vulnerabilities:
- Buffer Overflow - input larger than its buffer overwrites adjacent memory
- SQL Injection - unfiltered user input is embedded in database queries
- Cross-Site Scripting (XSS) - malicious script is injected into a web page and executed in the victim's browser
- Path Traversal - access to files outside the intended directory
- Insecure deserialization - untrusted serialized objects are deserialized and can be manipulated
Configuration vulnerabilities:
- Default passwords not changed
- Unnecessary services enabled
- Permissions granted too broadly
- Lack of encryption
- Unsecured cloud storage
Design vulnerabilities:
- Lack of authentication for critical functions
- Insecure protocols (HTTP instead of HTTPS, Telnet instead of SSH)
- No segmentation between network zones
Vulnerability vs. Exploit vs. CVE
| Term | Meaning |
|---|---|
| Vulnerability | The underlying flaw or weakness itself |
| Exploit | Code/method for exploiting the vulnerability |
| CVE | Unique ID of the vulnerability (e.g., CVE-2021-44228) |
| PoC | Proof of Concept – an exploit demonstrating that the vulnerability can be exploited |
| 0-Day | A vulnerability for which no patch is yet available (the vendor has had zero days to fix it) |
Responsible Disclosure
When a security researcher or penetration tester discovers a vulnerability, there are two options:
Responsible Disclosure (Coordinated Disclosure):
- Report the vulnerability privately to the vendor
- The vendor has a deadline (usually 90 days) to release a patch
- Public disclosure only after this period
Full Disclosure: Immediate public disclosure—controversial, but sometimes necessary if the vendor does not respond.
Many companies have bug bounty programs—they pay rewards for responsible reporting of vulnerabilities.
Vulnerability Disclosure Policy (VDP)
A VDP is a company’s official policy on how external security researchers should report vulnerabilities. BSI and ENISA recommend VDPs as best practice—even for companies without a formal bug bounty program.
CVSS Rating
Vulnerabilities are rated using CVSS (Common Vulnerability Scoring System) on a scale from 0 to 10, from None (0) to Critical (9.0–10.0). CVSS alone is not a complete prioritization tool, however: the business context and the likelihood of exploitation in the wild (EPSS, the Exploit Prediction Scoring System) are equally important.